History log of /curl/lib/http_aws_sigv4.c (Results 1 – 25 of 36)
# ac49152e 19-Apr-2024 Daniel Stenberg

http_aws_sigv4: remove useless assignment

This code assigned the variable the same value it already had

Spotted by CodeSonar

Closes #13426


# ff74cef5 11-Dec-2023 Daniel Stenberg

lib: reduce use of strncpy

- bearssl: select cipher without buffer copies
- http_aws_sigv4: avoid strncpy, require exact timestamp length
- http_aws_sigv4: use memcpy instead of strncpy
- openssl: avoid strncpy calls
- schannel: check for 1.3 algos without buffer copies
- strerror: avoid strncpy calls
- telnet: avoid strncpy, return error on too long inputs
- vtls: avoid strncpy in multissl_version()

Closes #12499



# bbba69da 01-Nov-2023 Harry Mallon

http_aws_sigv4: canonicalise valueless query params

Fixes #8107
Closes #12244


# 91878ebe 29-Sep-2023 Daniel Stenberg

lib: provide and use Curl_hexencode

Generates a lower case ASCII hex output from a binary input.

Closes #11990


# c8792035 16-Sep-2023 Dan Fandrich

http_aws_sigv4: fix sorting with empty parts

When comparing with an empty part, the non-empty one is always
considered greater-than. Previously, the two would be considered equal
which would randomly place empty parts amongst non-empty ones. This
showed as a test 439 failure on Solaris as it uses a different
implementation of qsort() that compares parts differently.

Fixes #11855
Closes #11868



# b5c65f8b 12-Aug-2023 Jay Satiro

http_aws_sigv4: handle no-value user header entries

- Handle user headers in format 'name:' and 'name;' with no value.

The former is used when the user wants to remove an internal libcurl
header and the latter is used when the user actually wants to send a
no-value header in the format 'name:' (note the semi-colon is converted
by libcurl to a colon).

Prior to this change the AWS header import code did not special case
either of those and the generated AWS SignedHeaders would be incorrect.

Reported-by: apparentorder@users.noreply.github.com

Ref: https://curl.se/docs/manpage.html#-H

Fixes https://github.com/curl/curl/issues/11664
Closes https://github.com/curl/curl/pull/11668



# a1532a33 10-Sep-2023 Daniel Stenberg

aws_sigv4: the query canon code miscounted URL encoded input

Added some extra ampersands to test 439 to verify "blank" query parts

Follow-up to fc76a24c53b08cdf

Closes #11829



# 16bdc09e 08-Sep-2023 Daniel Stenberg

http_aws_sigv4: skip the op if the query pair is zero bytes

Follow-up to fc76a24c53b08cdf

Spotted by OSS-Fuzz

Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62175
Closes #11823



# fc76a24c 06-Sep-2023 Daniel Stenberg

http_aws_sigv4: canonicalize the query

Percent encoding needs to be done using uppercase, and most
non-alphanumerical must be percent-encoded.

Fixes #11794
Reported-by: John Walker
Closes #11806



# e92edfbe 20-Jul-2023 Wyatt O'Day

lib: add ability to disable auths individually

Both with configure and cmake

Closes #11490


# b8dabfb1 01-Sep-2023 Daniel Stenberg

awssiv4: avoid freeing the date pointer on error

Since it was not allocated, don't free it even if it was wrong syntax

Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=61908

Follow-up to b137634ba3adb

Closes #11782



# b137634b 28-Aug-2023 Matthias Gatto

lib: fix aws-sigv4 having date header twice in some cases

When the user was providing the header X-XXX-Date, the header was
re-added during signature computation, and we had it twice in the
request.

Reported-by: apparentorder@users.noreply.github.com

Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>

Fixes: https://github.com/curl/curl/issues/11738
Closes: https://github.com/curl/curl/pull/11754



# d567cca1 27-Apr-2023 Daniel Stenberg

checksrc: fix SPACEBEFOREPAREN for conditions starting with "*"

The open paren check wants to warn for spaces before open parenthesis
for if/while/for but also for any function call. In order to avoid
catching function pointer declarations, the logic allows a space if the
first character after the open parenthesis is an asterisk.

I also spotted that we did not include "switch" in the check but we should.

This check is a little lame, but we reduce this problem by not allowing
that space for if/while/for/switch.

Reported-by: Emanuele Torre
Closes #11044



# 18a45a51 14-Mar-2023 Daniel Stenberg

http_aws_sigv4: fix scan-build "value stored to 'ret' is never read"

Follow-up to 495d09810aa9a

Closes #10766


# 495d0981 15-Feb-2023 Casey Bodley

aws_sigv4: fall back to UNSIGNED-PAYLOAD for sign_as_s3

all s3 requests default to UNSIGNED-PAYLOAD and add the required
x-amz-content-sha256 header. this allows CURLAUTH_AWS_SIGV4 to correctly
sign s3 requests to amazon with no additional configuration

Signed-off-by: Casey Bodley <cbodley@redhat.com>

Closes #9995



# 97f7f668 02-Feb-2023 Kvarec Lezki

http_aws_sigv4: remove typecasts from HMAC_SHA256 macro

V220: Suspicious sequence of types castings: memsize -> 32-bit integer -> memsize.

https://pvs-studio.com/en/docs/warnings/v220/

Closes #10400



# 2bc1d775 02-Jan-2023 Daniel Stenberg

copyright: update all copyright lines and remove year ranges

- they are mostly pointless in all major jurisdictions
- many big corporations and projects already don't use them
- saves us from pointless churn
- git keeps history for us
- the year range is kept in COPYING

checksrc is updated to allow non-year using copyright statements

Closes #10205



# b8ffb02e 30-Nov-2022 Baitinq on github

aws_sigv4: fix typos in aws_sigv4.c

Closes #10008


# 7f8e6da6 25-Oct-2022 Casey Bodley

aws_sigv4: consult x-%s-content-sha256 for payload hash

`Curl_output_aws_sigv4()` doesn't always have the whole payload in
memory to generate a real payload hash. this commit allows the user to
pass in a header like `x-amz-content-sha256` to provide their desired
payload hash

some services like s3 require this header, and may support other values
like s3's `UNSIGNED-PAYLOAD` and `STREAMING-AWS4-HMAC-SHA256-PAYLOAD`
with special semantics. servers use this header's value as the payload
hash during signature validation, so it must match what the client uses
to generate the signature

CURLOPT_AWS_SIGV4.3 now describes the content-sha256 interaction

Signed-off-by: Casey Bodley <cbodley@redhat.com>

Closes #9804



# 279834dd 24-Oct-2022 Daniel Stenberg

misc: remove duplicated include files

Closes #9796


# 57ba1dd5 12-Oct-2022 Daniel Stenberg

http_aws_sigv4: fix strlen() check

The check was off-by-one leading to buffer overflow.

Follow-up to 29c4aa00a16872

Detected by OSS-Fuzz

Closes #9714


# 29c4aa00 13-Jan-2022 Matthias Gatto

aws_sigv4: fix header computation

Handle canonical headers and signed headers creation as explained here:
https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html

The algo tells that signed and canonical must contain at least host and
x-amz-date.

So we check whether those are present in the curl http headers list.
If they are, we use the one entered by the curl user, otherwise we generate
them. Then we convert to lower case, and remove spaces from each http header plus
host and x-amz-date, then sort them all in alphabetical order.

This patch also fixes a bug with the host header, which was ignoring the port.

Closes #7966



# 4d4c2274 01-Jul-2022 Daniel Stenberg

http_aws_sigv4.c: remove two unused includes

Closes #9080


# ad9bc597 17-May-2022 max.mehl

copyright: make repository REUSE compliant

Add licensing and copyright information for all files in this repository. This
either happens in the file itself as a comment header or in the file
`.reuse/dep5`.

This commit also adds a Github workflow to check pull requests and adapts
copyright.pl to the changes.

Closes #8869



# 37f892fb 11-May-2022 Daniel Gustafsson

aws-sigv4: fix potential NULL pointer arithmetic

We need to check if the strchr() call returns NULL (due to missing
char) before we use the returned value in arithmetic. There is no
live bug here, but fixing it before it can become for hygiene.

Closes: #8814
Reviewed-by: Daniel Stenberg <daniel@haxx.se>


